GROUP POLICY
Group Policy is a hierarchical infrastructure which allows systems administrators to configure computer and user settings from a central location. Group Policy is often associated with Microsoft Active Directory. However other applications use Group Policies. For example, Sophos Enterprise Console. GROUP POLICY
ACTIVE DIRECTORY GROUP POLICY Group Policy is a very powerful tool and must be used with caution. Do not apply Group Policies because you can. Group Policies must be used to meet a Business Need. You can potentially lock yourself out of Active Directory if you don’t use Group Policies correctly. For example if you apply a policy to “Deny logon locally” to all users, no one, including the Administrator would be able to log on. The only way to fix this would be to restore AD from a previous backup. Whenever possible, changes to Group Policies should be approved through a peer review process such as ITIL Change Management.
ACTIVE DIRECTORY GROUP POLICIES In Active Directory, Group Policies are applied to Organizational Units (OUs). Group Policies can be applied to Users and/or Computers within each OU Group Policies are managed using the Group Policy Management Console (see also gpedit.msc on local computer). Group Policies can also be managed with command- line tools such as gpresult and gpupdate From Windows Server 2008, Microsoft introduced Group Policy Preferences to provide better targeting and flexibility.
GROUP POLICY MANAGEMENT CONSOLE
GPEDIT.MSC (LOCAL GROUP POLICY) Gpedit.msc is not available in Windows Home editions Why would you want to use this instead of AD GPO?
GROUP POLICY PROCESSING AND PRECEDENCE The Group Policy objects (GPOs) that apply to a user or computer do not all have the same precedence. Settings that are applied later can override settings that are applied earlier. Group Policy settings are processed in the following order: 1.Local Group Policy object 2.Site 3.Domain 4.Organizational Units At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
GROUP POLICY PROCESSING AND PRECEDENCE The group policies at the top will be processed last and have the highest precedence
RESULTANT SET OF POLICY One challenge of Group Policy administration is to understand the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how changes to Group Policy, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU) in the directory, might affect the network. The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.
RESULTANT SET OF POLICY
GPRESULT COMMAND LINE TOOLS GPResult displays the Resultant Set of Policy (RSoP) information for a User or Computer Output of gpresult /R /scope Computer Showing the group policies applied to the computer Run Command Prompt as Administrator for this to work
GPRESULT COMMAND LINE TOOLS Output of gpresult /user %myuser% /R Showing the group policies applied to the user
GROUP POLICY REFRESH AND UPDATES Group Policies are applied when the system starts (Computer policies) and when a user logs on (User policies) Group Policies are updated every 90 minutes by default. This can be changed in group policy Computer or User Configuration\Administrative Templates\System\Group Policy\Set Group Policy Refresh Intervals
GROUP POLICY REFRESH AND UPDATES Group Policies can be updated manually with the gpupdate /force command line tool The screen shot below show the output of gpupdate /force and indicates that a Computer Policy was not applied correctly
GROUP POLICY REFRESH AND UPDATES You have just created or edited a GPO. You run gpupdate /force on a client computer and the output is >User Policy update has completed successfully >Computer Policy update has completed successfully You check that the GPO is applied on the client computer and it is not. What could be wrong?
SECURITY FILTERING Sometimes it is not convenient to apply a GPO based on the OU alone. You can use Security Filtering to allow or prevent a GPO from being applied to specific security groups (of Computers or Users) or to specific users or computers. You allow a group by adding it to the Security Filtering (in the Scope tab) You deny a group by adding it to the Delegation tab and setting the permissions to Deny on Read and Apply Group Policy (click Advanced to see this)
SECURITY FILTERING Allowed groups and users
SECURITY FILTERING Denied groups and users
WMI FILTERING Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. WMI attributes that can be used to filter GPOs are, for example, Hotfix, Software package, OS, Hardware resources, Make & Model. See example -with-wmi-filters-in-group-policy.aspx -with-wmi-filters-in-group-policy.aspx
GROUP POLICY PREFERENCES Group Policy Preferences were introduced in Windows Server 2008 The main difference between GP preferences and GP settings is that the former can be changed by the user and the latter are enforced Group Policy Preferences also allow for a better targeting of the policies
GROUP POLICY PREFERENCES Group Policy preferencesGroup Policy settings Enforcement Preferences are not enforced. User interface is not disabled. Can be refreshed or applied once. Settings are enforced. User interface is disabled. Settings are refreshed. Flexibility Easily create preference items for registry settings and files. Import individual registry settings or entire registry branches from a local or remote computer. Adding policy settings requires application support and creating administrative templates. Cannot create policy settings to manage files and folders. Local PolicyNot available in local Group Policy.Available in local Group Policy. Awareness Supports applications that are not Group Policy-aware. Requires applications that are Group Policy- aware. Storage Original settings are overwritten. Removing the preference item does not restore the original setting. Original settings are not changed. Stored in registry Policy branches. Removing the policy setting restores the original settings. Targeting and Filtering Targeting is specific, with a user interface for each type of targeting item. Supports targeting at the individual preference item level. Filtering is based on Windows Management Instrumentation (WMI), and requires writing WMI queries. Supports filtering at a Group Policy Object (GPO) level. User Interface Provides a familiar, easy-to-use interface for configuring most settings. Provides an alternative user interface for most policy settings.
GROUP POLICY PREFERENCES An example creating a mapped network drive…
GROUP POLICY PREFERENCES …and targeting the Preference to the user p , between 9am and 5pm and if the system disk space is below 20GB